Should You Still Prioritize Exploit Kit Vulnerabilities?

One of the greatest challenges that enterprises face is prioritizing vulnerabilities for remediation. Trying to determine which vulnerabilities pose a true imminent risk deserving of immediate attention can feel like a game of Whac-A-Mole due to the sheer volume of critical vulnerabilities.

An analysis of CVE data by Tenable Research’s Lucas Tamagna-Darr shows the number of disclosed vulnerabilities has grown on average by 15 percent year-over-year – with more than 12,000 unique vulnerabilities being added to CVE in 2017 alone! Of these, over 3,500 were rated with a High or Critical severity. That’s an average of almost 10 per day. And the situation is only getting more overwhelming – we project the total number of disclosed vulnerabilities will grow to above 15,000 in 2018.

The objective of strategic vulnerability remediation prioritization is to identify the vulnerabilities that pose the greatest actual risk to an organization. Many organizations rely on the Common Vulnerability Scoring System (CVSS) to prioritize. But, this yields far too many “critical” vulnerabilities for most organizations to realistically remediate or mitigate given the time and resources available to them. CVSS does a good job of generally evaluating the risk that a specific vulnerability poses. However, it fails to identify which vulnerabilities represent a true risk to a specific organization.

Shifting paradigms – Cyber Exposure management

Situational awareness is now a necessary component of an effective remediation prioritization strategy. This approach is sometimes called threat-centric, intelligence-driven, adversary-focused vulnerability management.

At Tenable, we call this Cyber Exposure. The Cyber Exposure discipline focuses on vulnerabilities that are actively being exploited in the wild by malware, ransomware, Exploit Kits (EKs) and threat actors and are therefore most likely to lead to an actual data breach. Ideally, the business criticality and context of an asset are also correlated to fully assess your Cyber Exposure. The objective is to filter down the overall volume of critical vulnerabilities to a manageable amount that merits immediate prioritization for remediation.

So, situational awareness becomes key. We must take into account adversaries’ activities in the wild and their actual Tactics, Techniques and Procedures (TTPs). Let’s stop looking at vulnerabilities in isolation and “all things being equal.” We should instead look at potential threats and their associated vulnerabilities to identify which ones subsequently represent the greatest risk. For that, you need to evaluate the threats themselves – to determine if they should be on your “watch list.”
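The following is an added illustration, not code from the original post or from Tenable, of the prioritization shift described above. It compares a CVSS-only cut (everything at or above 9.0 is "critical") with a threat-centric ranking that weights each finding by whether it appears on an in-the-wild exploitation watch list and by the business criticality of the affected asset. The CVE identifiers, the watch list, the assets and the weighting factors are all constructed for the example; a real deployment would feed the watch list from threat intelligence and the asset criticality from an asset inventory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # constructed placeholder id, not a real CVE
    cvss: float              # CVSS base score
    asset: str               # constructed asset name
    asset_criticality: int   # 1 (lab/dev) .. 5 (business critical)


# Constructed watch list of vulnerabilities observed being exploited in the wild
# (by exploit kits, malware or threat actors). In practice this is populated
# from your threat-intelligence feeds, not hard-coded.
EXPLOITED_IN_WILD = {"CVE-0000-0002", "CVE-0000-0004"}


def cvss_only_critical(findings, threshold=9.0):
    """The traditional approach: everything at or above the threshold is 'critical'."""
    return [f for f in findings if f.cvss >= threshold]


def exposure_score(finding, watch_list=EXPLOITED_IN_WILD):
    """Threat-centric score (assumed weighting, for illustration only):
    CVSS scaled up when the vulnerability is actively exploited, scaled down
    when it is not, and multiplied by the asset's business criticality."""
    threat_factor = 2.0 if finding.cve in watch_list else 0.5
    return round(finding.cvss * threat_factor * finding.asset_criticality, 1)


def prioritize(findings, watch_list=EXPLOITED_IN_WILD, top=3):
    """Return the findings that merit immediate remediation, highest exposure first."""
    ranked = sorted(findings, key=lambda f: exposure_score(f, watch_list), reverse=True)
    return ranked[:top]


# Constructed scan results: three findings are CVSS-critical but sit on low-value
# assets and are not known to be exploited; two are lower-scored but actively
# exploited on important assets.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, "dev-vm-17", 1),
    Finding("CVE-0000-0002", 7.5, "payroll-db", 5),
    Finding("CVE-0000-0003", 9.1, "kiosk-03", 2),
    Finding("CVE-0000-0004", 8.8, "hr-workstation", 4),
    Finding("CVE-0000-0005", 10.0, "lab-box", 1),
]

if __name__ == "__main__":
    print("CVSS-only critical:", [f.cve for f in cvss_only_critical(SAMPLE)])
    for f in prioritize(SAMPLE):
        print(f"{f.cve} on {f.asset}: exposure {exposure_score(f)}")
```

Run on the constructed sample, the CVSS-only cut flags the three 9.0+ findings, none of which is actively exploited, while the threat-centric ranking puts the two watch-listed findings on the payroll database and the HR workstation at the top. The point is the ordering, not the particular weights: any scheme that folds in-the-wild exploitation and asset context into the score will separate "high CVSS" from "high actual risk".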

Exploit Kits have been a prominent potential threat for enterprises for the past decade, targeting unsuspecting users by infecting them with malware via compromised websites. In the past year, active EK deployments – and their development by cyber criminals – have dropped. So, let’s take a look at whether EKs and the vulnerabilities they target still represent a critical, real-world risk that needs to be prioritized first for remediation.

What is an Exploit Kit?

Exploit Kits are used to embed malicious code into a website. They provide pre-packaged exploits that target unpatched browsers and applications. There’s a thriving commercial market offering EKs. And many are easy to use, even by less technical cyber criminals. EKs generally target client-side vulnerabilities.

The majority of attacks using EKs infect a target without their knowledge, through two primary methods:

Opportunistic drive-by-exploitation

Cyberattackers will exploit vulnerable web servers to deploy the EK. They embed malicious code in websites, which can infect any visitor with a vulnerable web browser or enabled libraries and plugins.

Targeted exploitation through phishing

Attackers either set up their own website to deploy the EK or exploit a vulnerable website to do so. They then send a crafted email to a potential victim that includes a link to the infected website in the hope the target will click the link and visit the site.

Historically, the primary objectives when deploying EKs were stealing credentials and banking information, deploying ransomware and using the infected machines as bots in DDoS attacks. More recently though, threat actors are repurposing EKs to mine cryptocurrencies (so-called “drive-by-mining”).

Analysis

We analyzed many different EKs[1] using a variety of sources[2] to gather a list of commonly targeted vulnerabilities (see below):

In second place come Microsoft applications, specifically Internet Explorer, Edge and their associated libraries. These targeted vulnerabilities are more recent, with the majority disclosed in 2017.

Threat actors are not dumb. Like any commercial endeavor, they focus on return on investment (ROI). The fact they’re still targeting old vulnerabilities shows they’re still achieving some success with them. But, it also shows that EK developers are having to rely on older vulnerabilities, indicating a lack of more recent effective exploits.

Conclusion: Exploit Kits are in decline – for now

An observant and facetious reader may say the best defensive strategy to protect against EKs is to dump Internet Explorer and Adobe Flash. And there is, in fact, a lot of merit in that advice.

Other browsers are far less commonly exploited by EKs, most obviously Google Chrome, despite a market share of just over 60 percent. Flash is already being phased out, with the proportion of Flash-enabled sites rapidly declining. In addition, Flash will be EOL in 2020. Aside from legacy applications and dependencies, there’s no good reason for anyone to still have Flash installed.

More generally, our overall conclusion is EKs are not the risk they once were. They don’t warrant the same strategic focus as in past years.

To be clear, we’re not saying that you should not remediate the targeted vulnerabilities if you have the resources. But, if your objective is to identify the threats and associated vulnerabilities whose remediation reduces the greatest amount of real-world risk, EKs right now don’t make the top of the list.

But this will also always depend on what specific software you have deployed and the maturity of your vulnerability management program. If you’re still heavily using IE and have older versions of Flash installed, EKs still pose a relevant threat.

The EK model is mature, tried and tested. And we’re already seeing them being repurposed for other tasks. While the names of the actors may change and the stage is smaller, the play itself has actually become more lucrative if we consider the rise in drive-by-mining.

For now, EKs represent a diminished risk compared to prior years. But, let’s not get complacent. The threat environment is dynamic and constantly evolving. We’ll be monitoring threat activity in case this changes again in the future.
